Threat Analysis Unit

2020 Cybersecurity Outlook Report: Key Findings (Part 2 of 2)

Cybersecurity Outlook Report Part 2
 

In the previous blog, 2020 Cybersecurity Outlook Report: Key Findings (Part 1 of 2), the topic of discussion revolved around common attacker tactics, techniques, and procedures (TTPs) seen in 2019. To recap, some notable insights from Part 1 included the following:

  1. As attacker behavior became more evasive, there was an increase in the use of software packing and hidden windows.
  2. The energy/utilities and government sectors were the most susceptible to ransomware, suggesting that as geopolitical tensions rise, so do attacks on these sectors, which often serve as critical infrastructure and provide vital services to large populations.
  3. Wipers continued to trend upward as adversaries (especially nation-state actors) prioritized data destruction over extortion of money.

In this blog, the discussion will shift to Section 2 of the report, “Defender Behavior”, which focuses on the current relationship dynamics between IT and security teams. To validate the hypothesis that a unified IT and security strategy can help break down silos between security and IT, VMware partnered with Forrester Consulting to conduct a 624-person survey targeted towards IT/security managers, CIOs, and CISOs.

Expectations vs. Reality

IT org top priorities

As seen in the graph above, the initial observation of the relationship between IT and security teams seems positive. Both groups selected driving collaboration between each other as the top priority, but a more in-depth inspection suggests there is tension among the two teams. In subsequent questions, 77.4% of respondents expressed that IT and security have an overall negative relationship. Furthermore, 74% of respondents noted that maintaining IT hygiene is very or extremely challenging, and 73% of respondents noted that integrating security products is very or extremely challenging. Although there is alignment in shared expectations between IT and security, it is clear that the ability to execute is hindered by strained personnel relationships and difficulty maintaining technology integrations.

Staffing & Resource Concerns

At 49% each, both IT and security teams reported being understaffed, and this issue is further magnified by the C-suite’s current perception of their staffing. In contrast to the 61% of VP-and-below respondents that stated their teams are understaffed, only 31% of C-suite respondents stated these teams are understaffed. The 30-point delta suggests that the C-suite may be out of touch with the day-to-day IT and security resourcing needs for the organization.

CIO CISO structure

Along with understaffing, the current reporting structure may be just as concerning. In the majority of cases, the CISO reports to the CIO 45% of the time. However, when asked whom the CISO should report to, 37% indicated that the CISO should report to the CEO and only 26% indicated that the CISO should report to the CIO. The CISO – CIO relationship has always sparked debate, and it will be critically important for organizations to establish a fluid system to weather the rising frequency of breaches.

Security as a Team Sport

Security team sport

As seen in the chart above, the majority of survey respondents stated that various categories that pertain to IT and Security (endpoint, identity & access management, application modernization, etc.) will increasingly become a shared responsibility between the two subsets. Although currently, key business decisions are made amongst fragmented groups, the trajectory seems more optimistic, as there will be a push towards increased alignment and collaboration in critical business decisions.

Summary

To conclude, the IT-security relationship is characterized by the following 3 traits:

  1. Driving alignment between IT and security is the top priority for the majority of organizations, but a more in-depth inspection suggests there is underlying tension between the two groups.
  2. Although being understaffed is a felt issue for both IT and security, the C-suite’s perception of resource concerns tends to be less serious.
  3. In 5 years, key business decisions pertaining to security architecture, application modernization, and incident response will increasingly become a shared responsibility between IT and security.

Download the complete report for additional insight into how security can be established as an intrinsic component of an organization’s DNA – 2020 VMware Carbon Black Cybersecurity Outlook Report